General procedures of ICT crime investigation

Group Discussion Topic

Crime investigation is a scientific exercise that follows scientific procedures; each procedure must be meticulously adhered to, because failure to follow it could make the difference between solving the crime and not solving it. This procedure is what is called the ‘General Procedure of Crime Investigation’ in the title above, and it is chronologically listed below:
NB: The main way to know that a computer crime has been committed is if the person hit by the ICT criminals reports it.

INVESTIGATION PLANNING;

The investigator should plan his work so that he can conduct his investigations in an efficient and timely manner. The plan should be based on knowledge of the nature of the case being investigated. Amongst other things, it should cover:

  1. Acquiring knowledge on the victim (victimology)
  2. Establishing the vulnerability of the available security system
  3. Crime scene processing
  4. Evaluation of scene evidence
  5. Crime classification
  6. Profiling the offender
  7. Crime mapping
  8. Investigative consideration
  9. Performing investigation tests
  10. Analysing the results
  11. Reporting the results / surrendering the case to the prosecutor

Planning should be a continuous process throughout the engagement. The investigation plan should be written with time and event schedules where possible. At the earliest possible point, the investigator needs to identify the resources required to carry out the investigation. Any restrictions on the investigation also need to be written down, e.g. inability to obtain sufficient evidence for any reason, such as lack of resources or lack of sufficient time.

VICTIMOLOGY

The study of the victims: an examination of every facet of their lifestyle, background, health, economic status and physical characteristics. It is hoped that through an in-depth examination of the victim we may get to know the perpetrator a little better. Victimology is important in the overall investigative process because it not only tells us who the victims were (their health, personal history, social habits, hobbies and personality), but also provides ideas as to why they were chosen as victims. In many situations the offender will hold back from choosing a victim until one that meets his needs comes along; understanding this selection can lead to a successful arrest. In our case the victim considered is the victim of ICT crimes. Specific questions asked therefore include:

  • What groups of individuals or organisations are in danger of becoming victims of computer crimes?
  • What makes the specific victim a target?
  • What makes the victim vulnerable?
  • Is the victim a victim of choice or a victim of opportunity?
  • Who really is the victim?
  • What does the victim do (professionally and as a hobby)?
  • How many people has the victim completely opened up to, and who therefore know him very well?
  • Are the administrators competent? Friendly or authoritarian? Do they have exploitable personal weaknesses? Can they be bullied, seduced or sidestepped?
  • Is the culture of the organisation security literate?
  • Does the victim have any known enemies or rivals?
  • Does the victim have any known friends? Etc.

Victimology, as has been said above, is concerned with the objective study of the social and psychological characteristics of (in our case) the individuals and organisations who have become victims of ICT crimes.

CRIME CLASSIFICATION

Crime classification guides the investigator in knowing the kind of criminal he is dealing with, so that he can acquire the necessary resources to handle the investigation appropriately. At this stage he is expected to answer questions such as:

  1. What crime was committed: is it card forgery, ATM fraud, money laundering, etc.?
  2. Does the crime scene reflect a methodical and organised criminal, or
  3. does it reflect a disorganised one who made no effort to conceal his tracks?
  4. Was ICT the primary target of the crime, or was it just a vehicle through which other crimes were marketed or committed, e.g. child pornography or violation of copyright laws?

FORENSIC PROCEDURES & FORENSIC FINDINGS

Gathering appropriate evidence for criminal prosecution is the science of ‘ICT criminalistics’, ‘cyber-forensics’, ‘forensic computing’ or ‘digital forensics’, and it can be quite a complex issue. This is because of the transient and intangible data one often deals with, more so in a network environment. Networks often pose a problem of identity, for example that of connecting a virtual person to a real-life person. Moreover, the stickiness of data poses an integrity problem: sometimes data that is not yours in origin, or data that you do not even know about, can be found in your possession. This data can also be easily interfered with or modified, and therefore poses a major investigative challenge. At this stage of the investigation, the investigator has processed the crime scene and identified the evidence left behind that may link the perpetrator to the crime scene and particularly to the crime itself. Sometimes the findings may inform the investigators of exactly how the crime was perpetrated. This evidence is collected, collated and stored for presentation before a court of law.

Unlike in other criminal activities, the focus of the investigator is not necessarily trace evidence but rather data. This is not to say that trace evidence has no place in ICT crime investigation, but rather that it is not the main evidence sought. It is important for the investigator to be able to reconstruct the crime from the moment of conceptualisation to its completion. To do this the investigator must develop an accurate account from the forensic findings and fill the gaps with what we have called above investigative consideration. Below we discuss procedures which, if adhered to, will ensure the best chance of evidence being recovered in an uncontaminated manner and therefore being acceptable before a court of law.

A Single-Evidence Form helps the investigator record the forensic findings systematically. It dedicates a page to each item retrieved for a case and allows the investigator to record what was done to the evidence each time it was taken from the storage locker. It is also necessary to keep a Multi-Evidence Form, which summarises the details of all the Single-Evidence Forms related to the case.

Unlike other crimes, ICT-Crimes offer the following specific challenges:

  • Difficulty in locating the place of the crime,
  • Weak links between the chains in an evidence system,
  • Impossibility of observing and fixing the evidence visually,
  • Wide usage of coded information by criminals.

The procedure for digital forensics involves a number of stages: (i) identifying what data may be available and where it may be found; (ii) preserving such data in a way that minimises interference; (iii) collating such data for intelligence and evidential purposes; (iv) presenting the data in a court of law. The following key issues should be considered standard forensic procedure when processing a computer crime scene, including the investigative considerations to be followed up on:

Victim's Premises:

The investigator must obtain authorisation from the relevant authorities: from those who commissioned the investigation in a private case, and from a magistrate in a case of public interest.

  • First secure the crime scene.
  • Move people away from computers and power supplies.
  • Remove the battery from laptops and palmtops that are switched off.

Note that you will need a search warrant before you can be allowed to process a suspect's computer at home or any other place. This is an important issue, because without authorisation, evidence gathered may not be accepted at trial as legitimately collected. The law of evidence states that evidence collected illegally is not acceptable in a court of law. (More about search warrants is discussed below.)

Always record all your activities, at the home or any other place. Anything that may relate to the case should be fully recorded, for instance location, time, date, serial number, etc.

The stolen data must be found on the suspect's computer.

Process all storage equipment, such as the PC's hard drive and diskettes, using hard-line analysers to restore deleted information. Software examples include Easy Restore utilities, Acronis Recovery Expert, PC Inspector and EasyRecovery Professional, used at the forensic laboratory.

Analysis of Evidence

All collected evidence must be analysed to extract the facts that answer the ‘who, when, why and how’ questions. The main challenge in this process is to check and run unknown programs and unknown files in order to find out what they do. NB: emptying the recycle bin is no longer a safe way to discard information, because it is now possible to retrieve a document that has been overwritten up to seven times.

INVESTIGATIVE CONSIDERATIONS;

Investigators need to be aware of all the probable causes of the crime, that is fraudulent intent, negligence, abuse of power, sabotage, terror, etc. It is necessary to discover the IP address of the originator of the criminal action. An IP address is a unique number which identifies the relevant resource, i.e. a PC, mobile phone, etc. The address is then linked logically to the originator's domain name, e.g. xxxx@swiftkenya.or.ke. Whereas the IP address is unique, the persons using it usually vary, e.g. in a cyber-café. Sometimes a suspect has been identified positively, but there is insufficient evidence to sustain a conviction. In such cases surveillance must be undertaken, especially to monitor the suspect's activities in and around ICT systems. Video recording of his activities, as well as recording his computer time using the necessary software, will be required.
Moreover, investigative consideration will seek to find answers to the following questions:

  • What risk did the offender take in perpetrating the crime?
  • What security system was in place?
  • How many people are privy to the passwords?
  • How often are passwords changed?
  • Does the organisation have an IT security policy? (What are its provisions?)
  • For all suspects, note any irregular increase in bank account deposits.
  • Investigate the registration of new companies by suspects.
  • Further, look into increases in share capital in companies associated with the suspect.
  • Note irregular spending habits amongst suspects.
  • Get the history of whom the suspect has been communicating with by phone, i.e. SMS and actual calls, from the relevant CSP.
  • Carry out a background check on all people in communication with the suspect. (This information can be obtained from telephone service providers; it is the policy of the Government of Kenya that it “…will create Statutory obligations of telecommunications Service providers to assist law enforcement in executing legal intercept pursuant to the security needs of the country”, p. 34 of the National Information & Communications Technology (ICT) Policy, Ministry of Information & Communication, January 2006.)
  • Especially in cases falling into the class of professional ICT crimes, investigate the possibility of cultic activities and Satanism.

All these questions have some investigative value because their answers are admissible in a court of law as facts forming part of the same transaction, especially when they seem to incriminate a person suspected of having participated in the said crime. Moreover, they can serve as a finger pointing at a suspect.

SEARCH WARRANT CONSIDERATION

Once a suspect or suspects have been identified, investigators will need a search warrant to further build their case against the suspect. There are many storage devices that may be encountered during the search, and they may be valuable sources of evidence if handled in an acceptable manner so as not to compromise the acceptability of the evidence. It is important to remember that an investigation must satisfy the legal standard, i.e. proving the accused guilty beyond a reasonable doubt. For this reason the stolen data, as well as the material used to steal it, must be found in the possession of the suspect. Hence some of the places the investigator must obtain a search warrant for include the following:

The suspect's office, house or both. The focus will be to find information on the victim, if any, or information that could show design or the suspect's plans; this will help in proving intention and motive.

The crime scene is the whole house; storage devices such as diskettes should be collected and processed. It should be remembered that the litter bin could actually contain the material being sought.

Consider the PC, if any, as another crime scene.

Any information found in the possession of the suspect goes to link the suspect to the crime.

Reporting and Presentation after Analysis at the Computer Forensic Laboratory

Reporting and presentation: the conclusions and the corresponding evidence from the investigation need to convince an authority. The following documentation must be presented to that authority:

Document the entire seizure of the evidence and the chain of custody; document all the gathered evidence; document what was examined and what the result was.
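The Single-Evidence and Multi-Evidence Forms described under forensic procedures above, and the chain-of-custody documentation required here, can be kept as a simple data structure. The following is an added example in Python, not code from the original post: each single form holds the item's details, the hash of its contents taken at acquisition and a custody log entry for every handling, and the multi-evidence form summarises all the items in a case. Item identifiers, serial numbers, timestamps and the image contents are all constructed for the example.

```python
"""Single-Evidence and Multi-Evidence forms with a chain-of-custody log.

Added example (not code from the original post). Each SingleEvidenceForm is one
page for one seized item: what it is, where and when it was seized, its serial
number, the hash of its contents at acquisition, and a custody log entry for
every time it left the storage locker. The MultiEvidenceForm summarises all the
single forms for a case. Item names, serial numbers and contents are constructed.
"""
import hashlib
from dataclasses import dataclass, field


def sha256_hex(data: bytes) -> str:
    """Hash taken at acquisition and re-taken after each handling to detect alteration."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    when: str          # ISO-8601 timestamp of the handling
    handler: str       # who took the item from the locker
    action: str        # what was done (imaged, examined, returned ...)
    hash_after: str    # hash of the item's contents when the action finished


@dataclass
class SingleEvidenceForm:
    item_id: str
    description: str
    location: str          # where the item was found (victim's or suspect's premises)
    serial_number: str
    seized_at: str
    seized_by: str
    acquisition_hash: str
    custody_log: list = field(default_factory=list)

    def log_action(self, when: str, handler: str, action: str, contents: bytes) -> CustodyEntry:
        """Record one handling of the item together with the post-handling hash."""
        entry = CustodyEntry(when, handler, action, sha256_hex(contents))
        self.custody_log.append(entry)
        return entry

    def integrity_intact(self) -> bool:
        """True only if every handling left the contents identical to acquisition."""
        return all(e.hash_after == self.acquisition_hash for e in self.custody_log)


@dataclass
class MultiEvidenceForm:
    case_id: str
    items: list = field(default_factory=list)

    def add(self, form: SingleEvidenceForm) -> None:
        self.items.append(form)

    def summary(self) -> list:
        """One row per item: the overview the multi-evidence form provides."""
        return [{"item_id": f.item_id, "description": f.description,
                 "handlings": len(f.custody_log), "intact": f.integrity_intact()}
                for f in self.items]


def build_demo_case() -> MultiEvidenceForm:
    """Constructed case: one correctly handled item and one altered in handling."""
    hdd_image = b"constructed hard-drive image contents" * 8
    diskette_image = b"constructed diskette image contents" * 4
    case = MultiEvidenceForm("CASE-EXAMPLE-001")

    hdd = SingleEvidenceForm("ITEM-01", "PC hard drive", "Suspect's office, desk 2",
                             "SN-EXAMPLE-0001", "2009-11-04T09:15:00Z", "Investigator A",
                             sha256_hex(hdd_image))
    hdd.log_action("2009-11-04T14:00:00Z", "Investigator A", "imaged at laboratory", hdd_image)
    hdd.log_action("2009-11-05T10:30:00Z", "Analyst B", "examined working copy", hdd_image)
    case.add(hdd)

    disk = SingleEvidenceForm("ITEM-02", "3.5 inch diskette", "Litter bin, suspect's house",
                              "none", "2009-11-04T09:40:00Z", "Investigator A",
                              sha256_hex(diskette_image))
    disk.log_action("2009-11-04T14:05:00Z", "Investigator A", "imaged at laboratory", diskette_image)
    # The original was examined directly instead of the copy and one byte changed:
    # the form now records the break in integrity instead of hiding it.
    disk.log_action("2009-11-06T08:00:00Z", "Analyst C", "examined original", diskette_image + b"\x00")
    case.add(disk)
    return case


if __name__ == "__main__":
    for row in build_demo_case().summary():
        print(row)
```

The hash recorded after each handling is what lets the form show, rather than merely assert, that the evidence was not interfered with between seizure and presentation; an item whose log shows a hash mismatch, like the second one here, is the kind of gap a defence counsel will look for.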
 
A data recovery specialist will take several careful steps to identify and attempt to retrieve possible data that may exist on a subject computer system:

  1. Protects the subject computer system during the recovery examination from any possible alteration, damage, data corruption, or virus introduction.
  2. Discovers all files on the subject system. This includes existing normal files, deleted yet remaining files, hidden files, password-protected files, and encrypted files.
  3. Recovers all (or as much as possible) of discovered deleted files.
  4. Reveals (to the extent possible) the contents of hidden files as well as temporary or swap files used by both the application programs and the operating system.
  5. Accesses (if possible and if legally appropriate) the contents of protected or encrypted files.
  6. Analyzes all possibly relevant data found in special (and typically inaccessible) areas of a disk. This includes but is not limited to what is called 'unallocated' space on a disk (currently unused, but possibly the repository of previous data that is relevant evidence), as well as 'slack' space in a file (the remnant area at the end of a file, in the last assigned disk cluster, that is unused by current file data, but once again may be a possible site for previously created and relevant evidence).
  7. Prints out an overall analysis of the subject computer system, as well as a listing of all possibly relevant files and discovered file data. Further, provides an opinion of the system layout, the file structures discovered, any discovered data and authorship information, any attempts to hide, delete, protect, encrypt information, and anything else that has been discovered and appears to be relevant to the overall computer system examination.
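Steps 3 and 6 above rest on the fact that deleting a file frees its clusters without wiping them, so earlier data survives in unallocated space and in the slack at the end of the last cluster of a newer, shorter file. The following added example (my own code, not from the original post) builds a constructed, deliberately simplified disk image with a flat run of 512-byte clusters and a dictionary standing in for the allocation table, then shows how to locate a file's slack, list the unallocated clusters and carve readable strings out of both. Real file systems differ in their on-disk structures; the two regions themselves exist in all of them.

```python
"""Toy disk image showing file slack and unallocated space (added example).

The layout is invented for this example: NUM_CLUSTERS fixed-size clusters, a
reserved system area, and a dict in place of the allocation table. File names
and contents are constructed.
"""
import string

CLUSTER_SIZE = 512
NUM_CLUSTERS = 8
RESERVED = {0, 1}  # boot sector / allocation table area, never holds file data
# Printable ASCII without line-control characters, so carving splits at line ends.
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")


def build_demo_image():
    """Write an old file, delete it, then write a shorter file over its start."""
    image = bytearray(CLUSTER_SIZE * NUM_CLUSTERS)
    # Step 1: an earlier 1200-byte file occupied cluster 2, cluster 3 and part of 4.
    old = (b"DELETED-REPORT: account EXAMPLE-0001 balance 25000\n" * 30)[:1200]
    image[2 * CLUSTER_SIZE:2 * CLUSTER_SIZE + len(old)] = old
    # Step 2: it was deleted. Deletion only frees the clusters; the bytes remain.
    table = {}
    # Step 3: a new 100-byte file reuses cluster 2 only, overwriting its first 100 bytes.
    new = b"Meeting moved to Thursday.".ljust(100, b".")
    image[2 * CLUSTER_SIZE:2 * CLUSTER_SIZE + len(new)] = new
    table["memo.txt"] = {"start": 2, "size": len(new)}
    return bytes(image), table


def clusters_for(entry):
    """Clusters a file occupies, assuming contiguous allocation from its start cluster."""
    count = -(-entry["size"] // CLUSTER_SIZE)  # ceiling division
    return list(range(entry["start"], entry["start"] + count))


def file_slack(image, entry):
    """Bytes between the logical end of a file and the end of its last cluster."""
    last = clusters_for(entry)[-1]
    logical_end = entry["start"] * CLUSTER_SIZE + entry["size"]
    return image[logical_end:(last + 1) * CLUSTER_SIZE]


def unallocated_clusters(table):
    """Clusters neither reserved nor assigned to any live file."""
    used = set(RESERVED)
    for entry in table.values():
        used.update(clusters_for(entry))
    return [c for c in range(NUM_CLUSTERS) if c not in used]


def unallocated_data(image, table):
    """Concatenated contents of every unallocated cluster."""
    return b"".join(image[c * CLUSTER_SIZE:(c + 1) * CLUSTER_SIZE]
                    for c in unallocated_clusters(table))


def carve_strings(data, min_len=8):
    """Naive string carver: runs of printable ASCII at least min_len bytes long."""
    found, run = [], bytearray()
    for b in data:
        if b in PRINTABLE:
            run.append(b)
        else:
            if len(run) >= min_len:
                found.append(run.decode("ascii"))
            run = bytearray()
    if len(run) >= min_len:
        found.append(run.decode("ascii"))
    return found


if __name__ == "__main__":
    img, fs = build_demo_image()
    print("slack of memo.txt:", carve_strings(file_slack(img, fs["memo.txt"]))[:2])
    print("unallocated clusters:", unallocated_clusters(fs))
    print("carved from unallocated space:", carve_strings(unallocated_data(img, fs))[:2])
```

The live contents of memo.txt show nothing of the earlier file, yet its 412 bytes of slack and the unallocated clusters 3 and 4 still carry the deleted report, which is exactly why step 6 insists on examining those areas and why the examination must be done on an image rather than the original media.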
Submitted by Kelmen on 4 November 2009 - 10:07am.

Piracy and Copyright infringement

There is a big problem regarding piracy of materials, especially music, movies, books, etc. The process has denied the artists, producers and governments revenue because of free riders who quickly acquire the material and, because they have not invested substantively, produce cheaply and sell to the market.
Apart from the technical crimes, which Mr. Kelmen has substantively tackled in the various articles, the above begs the question: doesn't this pose a more realistic problem that affects many people? Let us debate this issue and see what knowledge will arise, as this constitutes an IT crime.

Korir
